Hello,
----- Original Message -----
> I set the suggested persistent queue to: /var/spool/audit/remote.log.
Right, that is a better default location. The attached patch updates the path
in other places.
MirekIndex: audisp/plugins/remote/audisp-remote.c
===================================================================
--- audisp/plugins/remote/audisp-remote.c (revision 470)
+++ audisp/plugins/remote/audisp-remote.c (working copy)
@@ -358,7 +358,7 @@
if (config.queue_file != NULL)
path = config.queue_file;
else
- path = "/var/lib/auditd-remote/queue";
+ path = "/var/spool/audit/remote.log";
q_flags = Q_IN_MEMORY;
if (config.mode == M_STORE_AND_FORWARD)
/* FIXME: let user control Q_SYNC? */
Index: audisp/plugins/remote/audisp-remote.conf.5
===================================================================
--- audisp/plugins/remote/audisp-remote.conf.5 (revision 470)
+++ audisp/plugins/remote/audisp-remote.conf.5 (working copy)
@@ -25,9 +25,6 @@
.IR tcp ,
the remote logging app will just make a normal clear text connection to the remote system. This is not used if kerberos is enabled.
.TP
-.I queue_file
-This is the absolute path to the file to be used as a persistent queue.
-.TP
.I mode
This parameter tells the remote logging app what strategy to use getting records to the remote system. Valid values are
.IR immediate ", and " forward " .
@@ -42,7 +39,7 @@
.I queue_file
Path of a file used for the event queue if
.I mode
-is set to \fIforward\fP. The default is \fB/var/lib/auditd-remote/queue\fP.
+is set to \fIforward\fP. The default is \fB/var/spool/audit/remote.log\fP.
.TP
.I queue_depth
This option is an unsigned integer that determines how many records can be buffered to disk or in memory before considering it to be a failure sending. This parameter affects the
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
